Abstract

As mobile devices pervade physical space, the familiar authentication patterns are becoming insufficient: besides entity authentication, many applications require, e.g., location authentication. Many interesting protocols have been proposed and implemented to provide such strengthened forms of authentication, but there are very few proofs that such protocols satisfy the required security properties. In some cases, the proofs can be provided in the symbolic model. More often, various physical factors invalidate the perfect cryptography assumption, and the symbolic model does not apply. In such cases, the protocol cannot be secure in an absolute logical sense, but only with a high probability. But while probabilistic reasoning is thus necessary, the analysis in the full computational model may not be warranted, since the protocol security does not depend on any computational assumptions, or on the attacker's computational power, but only on some guessing chances.

We refine the Dolev-Yao algebraic method for protocol analysis by a probabilistic model of guessing, needed to analyze protocols that mix weak cryptography with physical properties of nonstandard communication channels. Applying this model, we provide a precise security proof for a proximity authentication protocol, due to Hancke and Kuhn, that uses probabilistic reasoning to achieve its goals.



1 Introduction 

Two paradigms of security. Traditionally, two paradigms have been used for proving protocol security. The first one, captured by the symbolic model, commonly known as "Dolev-Yao", describes both protocol and attacker in terms of an algebraic theory [16]. While this has been criticized as crude, it is often highly effective and easily automated. The other paradigm, captured by the computational model, usually relies on some notion of indistinguishability from the point of view of a computationally limited attacker [3D]. Recently, a lot of research [31133], starting with [1], has been devoted to drawing the two paradigms closer together. This strategy has generally been to rely upon crypto-algorithms that themselves satisfy strong enough definitions of security, so that, if used in the proper way, they can be treated as Dolev-Yao "black boxes".

Problem of pervasive security. However, there is an emerging class of security protocols for which it seems difficult to bring these two paradigms together. Such protocols arise in heterogeneous networks of diverse computational and communication devices, with mixed-type channels between them [3U]. Nowadays ubiquitous, such networks can be viewed as a realization of Doug Engelbart's visionary idea of smart space and pervasive computation [18]. The spatial aspects of computation give rise to a new family of security problems, where the standard authentication requirements need to be strengthened by proofs of spatial proximity. In some cases, it has been possible to refine symbolic methods to get stronger proofs [27]. But there are other cases that resist symbolic analysis. One such case is the Hancke-Kuhn distance bounding protocol [23], which we analyze in the present paper. The protocol consists of a timed challenge-response exchange in which a prover Peggy needs to convince a verifier Victor that she is in his vicinity. Peggy's rapid response to Victor's challenge is implemented using a rapidly computable function. The requirement that the function must be rapidly computable turns out to weaken it cryptographically. One of the main requirements of cryptographic strength is diffusion: for a boolean function, each bit of the output should depend on each bit of the input [39]. But a function that has to wait for the last bit of its input before it produces the first bit of its output is not rapidly computable. The other way around, an on-line function, which produces its output while still receiving its input, is easier to compute, but cannot be cryptographically strong. So there is a tradeoff between cryptographic strength and rapid computability. We explore this tradeoff in Sec. 5 and quantify the information leakage of on-line functions. The Hancke-Kuhn protocol is based on such a function.

Already in the original presentation [23] of their protocol, Hancke and Kuhn wrote down an estimate of the attacker's chance to guess a response bit. However, besides attempting to guess some bits of the response, the attacker may also attempt to guess the secret on which the response is based. Moreover, he may attempt his guesses directly, or make use of the responses stored from other sessions. Last but not least, he may collude with Peggy. Towards a precise security proof, the diverse strategies available to the attacker must be evaluated together, and exhaustively. This requires a formal model of protocol execution.

Bayesian security. But what model to use? The symbolic model cannot be used because the perfect cryptography assumption is not validated by the on-line function, which is the central feature of the protocol. On the other hand, the cryptographic strength and weakness of this function, and the resulting security and insecurity of the protocol, have nothing to do with any computational assumptions, or with the computational power of the adversary: they only depend on guessing chances, which cannot be essentially increased by computational power. Thus using the computational model does not contribute to the analysis of the central feature of the protocol, although it does apply to any implementation.

The most natural model for analyzing the Hancke-Kuhn protocol that we came up with extends the symbolic model by a rudimentary probabilistic theory of guessing. It retains the perfect cryptography assumption for the standard cryptographic primitives used in the protocol, in particular for the keyed hash function. In a probabilistic context, though, the perfect cryptography assumption means that the output distributions of the relevant cryptographic primitives are statistically indistinguishable from the uniform distribution. Assuming this for the hash function used in the protocol brings us close to the random oracle assumption, often used in computational analyses [1]. There is a sense in which the random oracle assumption can be construed as the probabilistic version of the perfect cryptography assumption.

In summary, we contend that the simplest model capturing the central features of the Hancke-Kuhn authentication protocol must be probabilistic, but need not be computational. The probabilistic model that we propose is an extension of the symbolic theories used in our previous work [25, 8, 28]. On the other hand, a version of the standard computational model can be obtained as an extension of this probabilistic model (by distinguishing a submonoid of feasible functions within our monoid of randomized boolean functions). It should be noted that these logical maps between the models go in the opposite direction from those in the explorations of the computational soundness of the various fragments of the symbolic model [H 15] [38]. In such explorations, the symbolic languages are mapped (interpreted) in the computational language; here, a more concrete model is mapped onto a more abstract model, which is its quotient, just like blocks of low-level code are mapped onto the expressions of a high-level programming language, or like more concrete state machines are mapped onto more abstract state machines [2§] [3D]. It follows that anything proven about the abstract model remains valid about its more concrete implementations: e.g., the Bayesian reasoning about secrecy remains valid in the computational model, provided that the assumed randomness of the hash function can be validated. This proviso is, of course, not satisfied in practice, since cryptographic hash functions are not truly random. The task thus remains to strengthen or refine the reasoning so as to be able to discharge such unrealistic assumptions. This logical strategy was discussed in [26] [8]. While not widely accepted in security, this is a standard approach to refinement-based software development: e.g., Euclid's algorithm is usually described assuming the ring of integers; but the assumption that there are infinitely many integers must be discharged before the algorithm is implemented in a real computer.

The space does not allow us to delve into the details of this approach, as applied to security. They will be presented elsewhere. In the present paper, we attempt to present a very special instance of this approach, where a modest probabilistic extension of the symbolic model suffices for the problem at hand, yet it leads to an essentially different reasoning framework, with Bayesian derivations instead of logical ones. The resulting technical divergence, mitigated by the conceptual guidance from the underlying simpler model, should be viewed as one of the main features of the incremental approach, pursued in the Protocol Derivation Logic (PDL) [25, 8, 28]. In [27], PDL was already used to analyze distance bounding protocols, similar to Hancke-Kuhn's, and for reasoning about pervasive security in general. An interesting feature of the current probabilistic extension of PDL is that the concept of guards, originally developed for reasoning about secrecy [25], now provides a crucial stepping stone into our analysis of guessing chances, and of the concrete authentication guarantees in the Hancke-Kuhn protocol in Sec. 6, as well as in the abstract view of symbolic authentication in Thm. 3.4.

Related work. As already mentioned, the closest relative of the PDL formalism, underlying this work, and briefly summarized in Sec. 3, is PCL [17, 13, 12]. Both formalisms owe a lot to strand spaces [19], in spirit and in execution models, although the logical methods diverge. Our probabilistic extension of PDL is predated by the probabilistic extension of PCL in [13], and by the probabilistic extension of strand spaces in [22]. But each of the three probabilistic approaches has a different intent, and a completely different implementation, conceptually and technically. It would be interesting to explore these differences more closely, as some tasks may yield to combined modeling methods.

Paper outline. The paper continues with a review of distance bounding authentication, and a description of the Hancke-Kuhn protocol. In Sec. 3 we provide a brief overview of the derivational method of protocol analysis, and of PDL. We also recall the algebraic notions of derivability and guards, originally used for derivational analyses of secrecy, and here adapted for authenticity. The probabilistic versions of these notions are introduced in Sec. 4 and then used to model guessing. The gathered tools are then put to use. In Sec. 5 we analyze the information leakage of on-line functions in general, and characterize the Hancke-Kuhn function among them. In Sec. 6 we quantify the authentication achieved in the Hancke-Kuhn protocol. Sec. 7 closes the paper with a summary of the results and a discussion of the extensions. All proofs are in the Appendix.

2 The Hancke-Kuhn protocol 
2.1 Background 

In a man-in-the-middle attack on a challenge-response protocol, the attacker relays messages, sometimes modified, between the legitimate participants. If resending a message takes time, the legitimate participants may observe slower traffic. This has been proposed as a method to prevent man-in-the-middle attacks. In particular, the challenger can measure the presumed round trip of his challenge and of the responder's response, and compute a maximal distance of the responder, assuming an upper bound on the message velocity. This can assure the authenticity of the response, if it is known that the attacker cannot be too close. This is the idea of distance bounding [15] [5]. The early security analyses of distance bounding protocols go back to the early 1990s [5]. The interest in this type of authentication re-emerged recently, with the task of device pairing and a genuine need for proximity authentication in pervasive networks [34] H [10] [23] [2U] [27] [37] [9] etc. From the outset, the basic idea of distance bounding was to combine some cryptographic authentication tools, such as hashes or signatures, with a physical constraint, such as the limited speed of message exchange. Most distance bounding protocols [5] [7] [27] implement this combination by using two channel types: the standard network channels for the cryptographic authentication, and the timed channels for the rapid response. The Hancke-Kuhn protocol [23] stands out by its simplicity, and by the fact that both cryptographic data and the rapid response are sent on the timed channel. This, however, comes at the price of information leakage, which makes the security analysis interesting.

2.2 The protocol 

As mentioned before, the goal of the Hancke-Kuhn protocol is that the prover Peggy proves to the verifier Victor that she is nearby. It is assumed that Peggy and Victor share a long-term secret s, and a public hash function H. The relevant security requirement on H will turn out to be a version of range preimage resistance [33]. The simplest way to present a protocol session is to view it in two stages.

In the first stage, Peggy and Victor exchange values a and b, which can be predictable for the attacker, but must never be reused by Peggy and Victor in more than one protocol session. The values a and b can thus be viewed as counters.
Figure 1: Hancke-Kuhn protocol: Second Stage



In the second stage, Peggy and Victor both form the hash $h = H(s :: a :: b)$ and proceed with the exchange on Fig. 1. If Victor's challenge $x = (x_i) \in \mathbb{Z}_2^{\ell}$ is a bitstring of length $\ell$, then the hash $h$ should be $2\ell$ bits long, which we view as a concatenation $h = h^{(0)} :: h^{(1)} \in \mathbb{Z}_2^{2\ell}$ of two strings of $\ell$ bits. The function $\boxplus : \mathbb{Z}_2^{\ell} \times \mathbb{Z}_2^{2\ell} \to \mathbb{Z}_2^{\ell}$ is defined bitwise for $i = 1, 2, \ldots, \ell$ by

$$(x \boxplus h)_i = h_i^{(x_i)} \qquad (1)$$
To summarize Fig. 1:

• Victor generates a random bitstring $x$ of length $\ell$, and sends each bit $x_i$ of $x$ at time $t_i$.

• To each bit $x_i$, Peggy responds with $h_i^{(0)}$ if $x_i = 0$, and with $h_i^{(1)}$ if $x_i = 1$.

• Victor receives Peggy's $i$-th response bit at time $\tau_i$. He knows $h$ as well, and can check that these responses are correct. If only he and Peggy know $h$, then the responder must be Peggy. He then uses the times between sending the challenges and receiving the responses, together with the velocity of the message signal, to compute his distance from Peggy.

2.3 Discussion 

Leaking information to the attacker. The crucial component of the protocol is the Hancke-Kuhn function $\boxplus$. Its main feature is that it is rapidly computable, as efficiently as the exclusive or $\oplus$. It is thus as suitable for timed authentication as $\oplus$, but it also leaks information, although less than $\oplus$: while $x$ and $x \oplus g$ allow extracting $g$ because $g = x \oplus x \oplus g$, $x$ and $x \boxplus h$ allow extracting only half of the bits of $h$. However, it is easy to see from (1) that from $x$, $x \boxplus h$, and moreover $(\neg x) \boxplus h$, the attacker can extract all of $h$. That is why Peggy and Victor must not reuse their counters. If $h = H(s :: a :: b)$ can be used in two responses, then an attacker can challenge Peggy twice, first with $x$ and then with $\neg x$, and thus get $x \boxplus h$ and $(\neg x) \boxplus h$ as the two responses. From this, he can extract $h$ and impersonate Peggy to Victor. Even if the counters are never reused, the fact that half of the response bits can be acquired by an attacker needs to be carefully examined, and his chances to guess the rest evaluated.

Overlooked assumption. Hancke and Kuhn's estimate that the probability that an attacker may succeed in impersonating Peggy is $(3/4)^{\ell}$ relies on the implicit assumption that $|x| < |s|$. Otherwise, if $|x| > |s|$, the attacker has better odds guessing $s$ than $x$. In practice, of course, the assumption $|x| < |s|$ is usually satisfied, because the secret $s$ is usually at least 256 bits long, while the challenge $x$ may be shorter. Strictly speaking, though, the impression that the protocol's security only depends on the length of the challenge $x$ is not correct, since a short secret $s$ would make it vulnerable.

Dishonest prover and the kernel. Another interesting weakness is that the value of Peggy's $i$-th response bit $(x \boxplus h)_i$ does not depend on $x_i$ if $h_i^{(0)} = h_i^{(1)}$. A dishonest Peggy can thus analyze the hash $h$ and respond without waiting for $x_i$ whenever $h_i^{(0)} = h_i^{(1)}$. If the response time is averaged, she is likely to appear closer to Victor than she really is.

Since Victor's counter $b$ is predictable, Peggy can attempt to choose her own counter $a$ to maximize the size of the kernel $K_h$ of $h = H(s :: a :: b)$, defined by

$$K_h = \{\, i \le \ell \mid h_i^{(0)} = h_i^{(1)} \,\} \qquad (2)$$
The larger the kernel, the closer Peggy can appear to Victor. However, the problem of finding a value $a$ such that, for a fixed $s$ and $b$, the image $H(s :: a :: b)$ has a desired property is a version of the range preimage problem [33]. The assumption that $H$ is a hash function, and in particular that it is a one-way function, implies that dishonest Peggy's advantage in finding a preimage $a$ such that $H(s :: a :: b)$, given $s$ and $b$, falls within a desired range of strings with a large kernel, is negligible. This means that the dishonest prover's manipulation of the kernel is infeasible.
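The second-stage exchange of Sec. 2.2, together with the leakage and kernel observations of Sec. 2.3, as an added illustration that is not part of the paper: SHA-256 stands in for the keyed hash H, and the secret, counters and sample bit strings are constructed for the example. The last function computes exactly the impersonation chance of an attacker who has seen one earlier response and otherwise guesses, which comes out as $(3/4)^{\ell - |K_h|}$.

```python
import hashlib
import random
from fractions import Fraction

# Added example, not code from the paper.  Bits are lists of 0/1 so that the
# function ⊞ of eq. (1) and the kernel K_h of eq. (2) are explicit.
# SHA-256 is an assumed stand-in for the keyed hash H of the protocol.


def hk_hash(s: bytes, a: bytes, b: bytes, ell: int) -> tuple[list[int], list[int]]:
    """h = H(s :: a :: b), truncated to 2ℓ bits and split as h = h0 :: h1."""
    digest = hashlib.sha256(s + a + b).digest()
    bits = [(byte >> (7 - k)) & 1 for byte in digest for k in range(8)]
    if 2 * ell > len(bits):
        raise ValueError("challenge too long for the hash output")
    return bits[:ell], bits[ell:2 * ell]


def hk_respond(x: list[int], h0: list[int], h1: list[int]) -> list[int]:
    """(x ⊞ h)_i = h_i^(x_i): each challenge bit selects the bit of h0 or of h1."""
    return [h1[i] if x[i] else h0[i] for i in range(len(x))]


def victor_verify(x, responses, h0, h1, rtts, max_rtt) -> bool:
    """Victor's check: every response bit is correct and every round trip is in bound."""
    return responses == hk_respond(x, h0, h1) and all(t <= max_rtt for t in rtts)


def kernel(h0, h1) -> list[int]:
    """K_h = { i | h_i^(0) = h_i^(1) }: positions whose response is independent of x_i."""
    return [i for i in range(len(h0)) if h0[i] == h1[i]]


def recover_from_reuse(x, r_x, r_notx):
    """Why the counters a, b must never be reused: if one h answers both x and ¬x,
    the two responses reveal all of h (bit i of h0 is the response where x_i = 0,
    bit i of h1 the response where x_i = 1)."""
    h0 = [r_x[i] if x[i] == 0 else r_notx[i] for i in range(len(x))]
    h1 = [r_x[i] if x[i] == 1 else r_notx[i] for i in range(len(x))]
    return h0, h1


def impersonation_success(x_prev, h0, h1) -> Fraction:
    """Exact probability, over a uniformly random fresh challenge x, that an attacker
    who saw Peggy's response to x_prev answers all ℓ bits correctly.  Per bit he
    knows the answer if x_i = x_prev_i or i ∈ K_h, and otherwise flips a coin."""
    ell = len(x_prev)
    ker = set(kernel(h0, h1))
    total = Fraction(0)
    for x in range(2 ** ell):
        p = Fraction(1)
        for i in range(ell):
            if (x >> i) & 1 != x_prev[i] and i not in ker:
                p /= 2
        total += p
    return total / 2 ** ell  # equals (3/4) ** (ell - len(ker))


if __name__ == "__main__":
    ell = 16
    # constructed secret and counters; in the protocol a and b are per-session values
    h0, h1 = hk_hash(b"shared-secret", b"a=7", b"b=3", ell)
    x = [random.randint(0, 1) for _ in range(ell)]
    r = hk_respond(x, h0, h1)
    print("Victor accepts:", victor_verify(x, r, h0, h1, [1.0] * ell, 2.0))
    print("kernel size:", len(kernel(h0, h1)))
    print("impersonation chance after one observed run:",
          float(impersonation_success(x, h0, h1)))
```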

Further ad hoc observations get more complicated, without providing any definite assurances. This demonstrates the need for a rigorous analysis within a formal model.

Modeling the essence of the Hancke-Kuhn protocol. The assumption that $H$ is a one-way function will turn out to be the only point where the security of the Hancke-Kuhn protocol depends on computation. All other attack strategies only involve guessing chances. To show this, in the following sections we introduce a probabilistic (Bayesian) protocol model, which strictly extends the standard algebraic (symbolic) model, and is a strict fragment of the standard computational model. The hash $H$ is modeled as a randomized function, as defined in Sec. 4. The perfect cryptography assumption of the symbolic model lifts in our Bayesian model to the assumption that the hashes are truly random, which is, of course, analogous to the random oracle assumption in the computational model. It allows us to abstract away the generic and negligible vulnerabilities, and to focus on the interesting aspects of the security of the Hancke-Kuhn protocol, achieved in spite of the cryptographic weakness of the $\boxplus$ function as its central feature.

3 Algebraic protocol models 

We analyze the Hancke-Kuhn protocol by the derivational method. The varied versions of this method have been applied to many protocols [11] [26] [8] [13] [12]. While the algebraic protocol model suffices in most cases, the Hancke-Kuhn protocol requires an evaluation of guessing chances. We attempt to find a simple model that will allow this.

3.1 Message algebras 

In the Dolev-Yao protocol model, messages are represented as terms of a free algebra of encryption and decryption operations [16]. More general algebraic models allow additional operations, and additional equations [11]. Recall that an algebraic theory is a pair $(O, E)$, where $O$ is a set of finitary operations (given as symbols with arities), and $E$ a set of well-formed equations (i.e. where each operation has a correct number of arguments) [31].

Definition 3.1 An algebraic theory $\mathcal{T} = (O, E)$ is called a message theory if $O$ includes a binary operation of pairing $(-,-)$, and the unary operations $\pi_1$ and $\pi_2$, such that $E$ contains the equations $\pi_1(u, v) = u$, $\pi_2(u, v) = v$, and $((x, y), z) = (x, (y, z))$. A message algebra is a polynomial extension $T[X]$ of a $\mathcal{T}$-algebra $T$.

Remarks. The third equation implies that there is a unique $n$-tupling operation for every $n$. The first two imply that the components of any tuple can be recovered. A polynomial extension $T[X]$ is the free $\mathcal{T}$-algebra generated by adjoining a set of indeterminates $X$ to a $\mathcal{T}$-algebra $T$ [21, §8]. The elements $x, y, z, \ldots$ of $X$ are used to represent nonces and other randomly generated values. This is justified by the fact that indeterminates can be consistently renamed: nothing changes if we permute them. That is just the property required from the random values generated in a run of a protocol.¹

3.2 Protocol models 

There are several protocol modeling formalisms that can be used for protocol derivations. The process calculus in [11] [13] was designed specifically for this purpose. Strand spaces [19] were designed for a different purpose, but they can be adapted for protocol derivations too. In [25, 8, 28] we used partially ordered multisets (pomsets) of actions [31], which allow simple tool support [5]. We stick with this approach, but the subtle (or in some cases not so subtle) differences between these approaches are of no consequence here. For completeness, we provide a brief overview. For more detail, the reader may want to consult some of the mentioned references.

In all cases, the set of actions $A$ is generated over the message algebra $T[X]$ by a grammar allowing each term $t \in T[X]$ to be sent in the action $\langle t \rangle \in A$, and received in the action $(t) \in A$. Moreover, an indeterminate $x \in X$ can be introduced into a protocol by the binding action $(\nu x) \in A$, which is read as "generate fresh $x$".

Challenge-response

Fig. 2 shows the abstract challenge-response protocol template, where the verifier Victor authenticates the prover Peggy. It is assumed that only Peggy is able to transform the fresh challenge $c^{VP}x$ into the response $r^{VP}x$. This assumption is construed as a constraint on the operations $c^{VP}$ and $r^{VP}$. The actions $\langle\!\langle t \rangle\!\rangle$ and $((t))$ are syntactic sugar for "send (resp. receive) a message from which anyone can extract $t$".

¹ Of course, this is not the only requirement imposed on nonces and random values. The other requirement is that they are known only locally, i.e. by those principals who generate them, or who receive them unencrypted. This requirement is not formalized within the algebra of messages, but by the binding rules of the process calculus or actions by which the messages are sent [13] [28].
Figure 2: CR template



3.3 Views, derivability and guards 

As usual, the communication channels are assumed to be controlled by the attacker: she observes all sent messages, and controls their delivery. However, she may not be able to invert all operations, and she has no insight into the fresh or secret data of other principals. Hence the different views of the various protocol participants.

A state $\sigma$ reached in a protocol execution is a lower closed pomset of actions executed up to that point, with an assignment of values to principals' local variables, which they use to store messages and their local computations. The view $\Gamma_P$ of a principal $P$ at a state $\sigma$ consists of all terms that $P$ may have observed up to $\sigma$, and all terms that she could derive from that. Formally, this last clause means that $\Gamma_P$ is upper closed under the derivability relation

$$S \vdash \Theta \iff \forall t \in \Theta\ \exists \varphi \in \mathcal{O}^{(n)}\ \exists s_1, \ldots, s_n \in S.\ t = \varphi(s_1, \ldots, s_n) \qquad (3)$$

where $S, \Theta \subseteq T[X]$ are finite sets of terms, $\mathcal{O}^{(n)}$ is the set of well-formed $n$-ary operations in the signature $O$, and the equation is derivable from $E$.

Authentication by challenge-response 

The challenge-response protocol in Fig. 2 validates authentication if Victor is justified in drawing a global conclusion from his local observation: i.e., having observed his own actions on the left, Victor should have good reasons to conclude that Peggy must have performed her actions on the right, and that all these actions should be ordered as on the figure. Intuitively, this conclusion of Victor's can be justified by the assumptions that

1. anyone who originated the response $r^{VP}x$ had to previously receive the challenge $c^{VP}x$, which could only happen after Victor sent this challenge;

2. no one could produce $r^{VP}x$ without knowing the secret $s^{VP}$, so it must be Peggy.

This last conclusion is based on the assumption that only Peggy knows $s^{VP}$, or only Peggy and Victor. In both cases, Victor's reasoning is the same, because he knows that he did not send $r^{VP}x$.

Using the derivability relation, these informal justifications can be refined into slightly more formal proof obligations in terms of $\vdash$, as follows. For any set of principals $\Pi$, it is required that

1. whenever there is a derivation $S \vdash r^{VP}x$, then there must also be a derivation $S \vdash c^{VP}x$, for any set of terms $S$ observed by $\Pi$ in a run of CR before $r^{VP}x$ is sent;

2. whenever there is a derivation $S, c^{VP}x \vdash r^{VP}x$, then there must also be a derivation $S, c^{VP}x \vdash s^{VP}$, for any set of terms $S$ known to $\Pi$ in a run of CR before $r^{VP}x$ is sent.

This type of authentication reasoning can be formalized using the notion of guards from [28].

Definition 3.2 We say that a set of sets of terms $\mathcal{G}$ algebraically guards a term $t$ with respect to a set of terms $T$, and write $\mathcal{G}$ guards $t$ within $T$, if for all $S \subseteq T$ it holds that

$$S \vdash t \implies \exists \Gamma \in \mathcal{G}.\ S \vdash \Gamma \qquad (4)$$

Explanation. We say that, in a context $T$, $\mathcal{G}$ guards $t$ if every computation path to $t$ leads through some element of $\mathcal{G}$. In other words, if $S$ allows computing $t$, then it is "because" it allows computing some of $t$'s guards from $\mathcal{G}$.

Example. Let $T = \langle DH \rangle$ be the set of terms that may become known to the participants and eavesdroppers of a run of the Diffie-Hellman protocol. Then

$$\{\{x, g^y\}, \{y, g^x\}\} \text{ guards } g^{xy} \text{ within } \langle DH \rangle$$

Note that $g^{xy}$ can be derived not only from $\{x, g^y\}$ and $\{y, g^x\}$ but also from $\{g, x, y\}$ and $\{g, xy\}$; however, neither of these sets can occur in a run of the Diffie-Hellman protocol between two honest principals, so they are not contained in the set $T = \langle DH \rangle$.
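A brute-force check of the guard relation (4) on the Diffie-Hellman example, added here and not part of the paper. The term representation, the restriction of the theory to projections and exponentiation of $g$, and the particular finite set of terms taken as $\langle DH \rangle$ (those that can be known before $g^{xy}$ is formed) are assumptions of the example.

```python
from itertools import combinations

# Added example, not the paper's code.  Terms (an assumption of this example):
# atoms are strings; a pair is ("pair", u, v); a power of g is ("exp", frozenset(E))
# with E the set of exponents, so the equation (g^x)^y = (g^y)^x holds by normal form.


def exp(base, e):
    """Exponentiation of the generator g, or of a power of g, by an atom e."""
    if base == "g":
        return ("exp", frozenset({e}))
    if isinstance(base, tuple) and base[0] == "exp":
        return ("exp", base[1] | {e})
    return None  # not a well-formed application in this theory


def one_step(known):
    """Terms obtainable by one operation from the known terms: the projections
    π1, π2 of any known pair, and exponentiation by any known atom.  Building new
    pairs is omitted, since it never helps derive a term that is not itself a pair."""
    new = set()
    atoms = [t for t in known if isinstance(t, str) and t != "g"]
    for t in known:
        if isinstance(t, tuple) and t[0] == "pair":
            new.update((t[1], t[2]))
        for e in atoms:
            r = exp(t, e)
            if r is not None:
                new.add(r)
    return new


def closure(S):
    """All terms derivable from S.  The closure is finite here: exponent sets are
    bounded by the known atoms, and projections only produce subterms."""
    known = set(S)
    while True:
        fresh = one_step(known) - known
        if not fresh:
            return known
        known |= fresh


def derivable(S, t) -> bool:
    """S ⊢ t in the sense of eq. (3)."""
    return t in closure(S)


def find_unguarded(guards, t, T):
    """Check eq. (4) over every S ⊆ T.  Returns a subset S with S ⊢ t but S ⊬ Γ for
    every Γ in guards, or None when the guard condition holds throughout T."""
    T = list(T)
    for k in range(len(T) + 1):
        for S in combinations(T, k):
            if derivable(S, t) and not any(
                all(derivable(S, u) for u in G) for G in guards
            ):
                return frozenset(S)
    return None


G_X, G_Y = exp("g", "x"), exp("g", "y")
G_XY = exp(G_X, "y")                      # the same term as exp(G_Y, "x")
DH_CONTEXT = {"g", "x", "y", G_X, G_Y}    # terms knowable before g^{xy} is formed
DH_GUARDS = [{"x", G_Y}, {"y", G_X}]

if __name__ == "__main__":
    print(find_unguarded(DH_GUARDS, G_XY, DH_CONTEXT))      # None: the guard holds
    print(find_unguarded([{"x", G_Y}], G_XY, DH_CONTEXT))   # a set reaching g^{xy} without x
```

Dropping one of the two guard sets makes the check fail, which is the kind of counterexample the guard relation is designed to surface.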

Definition 3.3 Let $Q$ be a protocol run, and $A$ a set of actions in $Q$. The term context is the set

$$\Theta(A) = \bigcup_{P \in \Pi} \Gamma^{\iota}_P \cup \Gamma^{A}_P$$

where $\Pi$ is the set of principals engaged in the run, $\Gamma^{\iota}_P$ is the set of terms known to a principal $P$ initially, and $\Gamma^{A}_P$ is the set of terms known to $P$ before any of the actions $a \in A$ are executed in $Q$.

Using the guard relation, we can prove that the challenge-response protocol validates authentication.

Theorem 3.4 Let $Q$ be a run of the challenge-response protocol on Fig. 2. Suppose that the functions $c^{VP}$ and $r^{VP}$ satisfy

$$\{\{c^{VP}x,\ s^{VP}\}\} \text{ guards } r^{VP}x \text{ within } \Theta(r^{VP}x)$$

where $s^{VP}$ is a secret known only to Peggy (and possibly to Victor). Then Victor is justified in drawing the following global conclusion from his local observations:

$$V:\ (\nu x)_V > \langle c^{VP}x \rangle_V > (r^{VP}x)_V \implies \big( (\nu x)_V > \langle c^{VP}x \rangle_V > ((c^{VP}x))_P > \langle\!\langle r^{VP}x \rangle\!\rangle_P > (r^{VP}x)_V \big) \qquad (cr)$$

where the relation $a > b$ says that action $a$ occurs before action $b$, and $\langle\!\langle m \rangle\!\rangle_P$ denotes the first time $P$ sends message $m$ after creating it.

The proof of this theorem is obtained by expanding the definition of the guard relation and analyzing the term context of the challenge-response protocol. Several examples of reasoning with this relation can be found in [28].
Comment about perfect cryptography. The algebraic guard relation is based on the assumption that a term can only be derived algebraically, using the given operations and equations. A term $t$ thus either lies in the subalgebra generated by a set of terms $S$, or not, and we have

$$S \vdash t \ \lor\ S \nvdash t$$

This means that the attacks on the implementation of the term $t$ are abstracted away. In particular, we assume that it is impossible to cryptanalyze the bitstrings representing $t$, and to derive $t$ by accumulating partial information about it. In other words, we assume perfect cryptography.

Moreover, we assume that the algebraic derivations $S \vdash t$ only use the equations specified in the given algebraic theory $\mathcal{T} = (O, E)$. This means that the message algebra $T$ is assumed to be a free $\mathcal{T}$-algebra, or that it is computationally infeasible for the attacker to find any additional equations that $T$ satisfies, not specified in the theory $\mathcal{T}$, and to use them in his derivations. This is roughly the pseudo-free algebra assumption [32].

Can we apply Thm. 3.4 to the Hancke-Kuhn protocol? The Hancke-Kuhn protocol on Fig. 1 is obviously a timed version of the challenge-response template from Fig. 2, for which Thm. 3.4 provides a general security claim. If the guard condition holds, then the Theorem yields the security of the Hancke-Kuhn protocol.

In the algebraic model, the attacker at a given state either knows a term, or not. As explained in Sec. 2, the attacker on the Hancke-Kuhn protocol may always obtain half of the bits of the secret shared by Victor and Peggy by challenging her. Does this mean that the attacker gets to know the secret? If not, then the guard condition is satisfied. To apply Thm. 3.4 we should thus set up the algebraic model so that a term is known only when all of its bits are known.

However, the same security proof would also hold for a modified version of the Hancke-Kuhn protocol, e.g. where $x \boxplus h = h^{(0)}$ if $x = a$ and $x \boxplus h = h^{(1)}$ otherwise, for some fixed $a \in \mathbb{Z}_2^{\ell}$. The attacker still cannot algebraically derive the term $x \boxplus h$ without $x$, because this term still depends on $x$. The guard condition holds, and thus the protocol is algebraically secure. In reality, though, the attacker who always responds with $h^{(1)}$ will succeed with a probability greater than $1 - 2^{-\ell}$, assuming that the challenge $x$ is drawn uniformly. The algebraic security of the Hancke-Kuhn type of protocols is not very realistic.

4 Protocol models with guessing 

In this section we propose a probabilistic refinement of the guard relation, which captures and quantifies just the partial information leaks, like the one in the Hancke-Kuhn protocol, without adding any unnecessary conceptual machinery.

4.1 Implementing and guessing messages 

In order to reason about the feasibility of the algebraic operations on messages, and about guessing, we consider the implementations of the messages $t \in T$ in an algebra $\Omega$ of strings, which carries the structure of a message $\mathcal{T}$-algebra, and moreover a set of randomized functions.

For concreteness, we assume that $\Omega = \mathbb{Z}_2^{*}$ is the set of bitstrings. However, any graded free monoid would do, since the only operations that we use are concatenation and length.

4.1.1 Implementing messages 

Definition 4.1 Let H be a partially ordered set. We call an infinitely increasing 
chain ho < hi < hi < ■ ■ ■ in H a H -tower. We denote by the set of towers 
in H. 

Any free monoid O is partially ordered by the prefix relation 

a C b 4==^- 3c G £1. a :: c = b 

where a :: c can be viewed as the concatenation of the strings a and c. We call 
f2-towers streams. They are just infinite sequences of strings, strictly extending 
each other: a stream is a sequence a — {ae}eeN C S! N such that ai C af + i for 
all I. A stream a is called an £-stream if the length of ^-th element is exactly 
\ag\ = i. The set of streams through ft is denoted by fl u . 

$\mathbb{N}$ can be viewed as a special case, since a natural number can be viewed as a string of 1s. The set $\mathbb{N}^\omega$ consists of the strictly increasing sequences of natural numbers. 

Definition 4.2 Let $X$ be a set of indeterminates. Its strength is a map $|-| : X \to \mathbb{N}^\omega$, assigning to each indeterminate $x$ for each value of the security parameter $\ell \in \mathbb{N}$ the required length $|x|_\ell \in \mathbb{N}$. 

An environment is a partial map $\eta : X \rightharpoonup \Omega^\omega$ such that $|\eta(x)_\ell| = |x|_\ell$ whenever $\eta(x)_\ell$ is defined. 

An implementation of a $\mathsf{T}$-algebra $\mathcal{T}$ is an injective $\mathsf{T}$-algebra homomorphism $\llbracket - \rrbracket : \mathcal{T} \rightarrowtail \Omega^\omega$. 

An environment and an implementation induce a $\mathsf{T}$-algebra homomorphism $\llbracket - \rrbracket_\eta : \mathcal{T}[X_\eta] \to \Omega^\omega$, where $X_\eta \subseteq X$ is the domain of definition of $\eta$. We call this homomorphism an implementation too whenever it is injective. 

Explanations. The string $\eta(x)_\ell \in \Omega$ is the implementation of the indeterminate $x$ with the security parameter $\ell$. The number $|x|_\ell$ is the required length of $x$ for the parameter $\ell$. The equation $|\eta(x)_\ell| = |x|_\ell$ enforces this requirement. Note that the function $|-|$ on the left is the length of the string in $\Omega$, whereas the function $|-|_\ell$ on the right is the part of the environment specifying the required length. 

The implementation of the algebra $\mathcal{T}$ assigns a unique string to each term. By definition of the polynomial algebra $\mathcal{T}[X_\eta]$, every algebra homomorphism $\mathcal{T} \to U$ to another algebra $U$, together with a function $X_\eta \to U$, induces a unique algebra homomorphism $\mathcal{T}[X_\eta] \to U$. 

We assume that any implementation is effectively invertible, i.e. that it is easy to recognize a term $t$ from its implementation $\llbracket t \rrbracket$. 

Since any algebraic operation on $\Omega$ lifts to a pointwise operation over any power $\Omega^n$, it also lifts to streams. So $\Omega^\omega$ is also a $\mathsf{T}$-algebra, and a monoid for (elementwise) concatenation.² 

Notation. When confusion seems unlikely, we ignore the difference between the indeterminates $x, y, \ldots \in X$ and their environment values $\eta(x), \eta(y), \ldots \in \Omega$. 

4.1.2 Randomized functions 

Consider the set of partial functions 

$\mathcal{R} = \{ f : \Omega \times \Omega \rightharpoonup \Omega \mid \forall a\, \forall p_1\, \forall p_2.\ f(p_1, a)\!\downarrow \wedge f(p_2, a)\!\downarrow \Rightarrow |p_1| = |p_2| \}$ 

where $f(p, a)\!\downarrow$ means that $f$ is defined on $p, a$, and $|p|$ is the length of the bitstring $p$. The set $\mathcal{R}$ is a monoid with the following composition operation 

$(f \circ g)(p_2 :: p_1, a) = f(p_2, g(p_1, a))$ 

and with the function $\iota(\varepsilon, a) = a$ as the unit, where $\varepsilon$ denotes the empty string. We interpret the elements of $\mathcal{R}$ as randomized functions over $\Omega$: the first argument $p$ represents the random seed, and the second argument $a$ is the actual input. The output $fa$ can then be viewed as a random variable with the probability distribution 

$\mathrm{Prob}(fa = b) = \dfrac{\#\{ p \mid f(p, a) = b \}}{2^r}$ (5) 

where $r$ is the length of all $p$ for which $f(p, a)$ is defined. Leaving the seed implicit, we denote randomized functions, as presented in $\mathcal{R}$, in the form $f : \Omega \rightharpoonup \Omega$. 

Definition 4.3 A stream of functions is a sequence $f = \{f_\ell\}_{\ell \in \mathbb{N}} \in \mathcal{R}^{\mathbb{N}}$ which is monotone, in the sense that for all streams $a, p \in \Omega^\omega$, at every $\ell \in \mathbb{N}$ holds 

$f_\ell(p_\ell, a_\ell)\!\downarrow \wedge f_{\ell+1}(p_{\ell+1}, a_{\ell+1})\!\downarrow \Rightarrow f_\ell(p_\ell, a_\ell) \sqsubseteq f_{\ell+1}(p_{\ell+1}, a_{\ell+1})$ 

We denote the monoid of streams of functions by $\mathcal{R}^\omega$. 

² Grading is not an algebraic operation, and it does not lift: the length of each stream is infinite. 



4.1.3 Indistinguishability 

Surviving the flood of negligible factors. Every subterm of every term in every security protocol can in principle be guessed. Such probabilities are usually tolerably small: they are negligible functions of some security parameter $\ell$. In probabilistic analyses, it is often convenient to ignore such events of negligible probability. In a protocol analysis, tracking all terms and subterms that can be guessed with a negligible probability can lead to a lengthy list, without revealing anything non-negligible. In this section, we provide an underpinning for formal probabilistic reasoning up to negligible factors. 

The frequencies of events are established by repeated sampling. The number of samples needed for a reasonable estimate depends on the a priori chance that the event will occur. If this chance is 1 in $n$, then the number of needed samples is an increasing function of $n$. 

When sampling a stream $a = \{a_\ell\}_{\ell \in \mathbb{N}}$, we assume that a reasonable number of samples should not be greater than $q(\ell)$, where $q$ is a function from a rig³ $Q \subseteq \mathbb{N}^{\mathbb{N}}$. In cryptography it is customary to take $Q = \mathbb{N}[x]$, the polynomials with non-negative integer coefficients. Streams are thus sampled a polynomial number of times. If the probability that the difference between $a_\ell$ and $b_\ell$ will be detected in $q(\ell)$ samples remains small for all $\ell$, then $a = \{a_\ell\}_{\ell \in \mathbb{N}}$ and $b = \{b_\ell\}_{\ell \in \mathbb{N}}$ are considered indistinguishable. In other words, $a$ and $b$ are indistinguishable if the probability that $a_\ell$ and $b_\ell$ are different is less than $\frac{1}{q(\ell)}$ for all $q \in Q$. Now we formalize this intuition. 

Definition 4.4 A function $\nu : \mathbb{N} \to [0, 1]$ is said to be $Q$-negligible if it converges to $0$ faster than $\frac{1}{q}$ for all $q \in Q$, i.e. 

$\forall q \in Q\ \exists n \in \mathbb{N}\ \forall \ell > n.\ \nu(\ell) < \dfrac{1}{q(\ell)}$ 

The set of $Q$-negligible functions is denoted by $\mathcal{N}_Q$. The ordering on streams $a, b \in [0, 1]^{\mathbb{N}}$ is defined up to negligible functions, i.e. 

$a \le b \iff \exists \nu\, \forall \ell.\ a_\ell \le b_\ell + \nu(\ell)$ 

We say that $a, b \in [0, 1]^{\mathbb{N}}$ are $Q$-indistinguishable, and write $a \sim b$, if $a \le b$ and $b \le a$, or equivalently 

$a \sim b \iff \exists \nu\, \forall \ell.\ |a_\ell - b_\ell| < \nu(\ell)$ 

Assumption, examples. For simplicity, we take $Q$ to be the rig $\mathbb{N}[x]$ of polynomials with non-negative integer coefficients, as is usual in cryptography. Then, e.g., for $a = \{2^{-\ell}\}_{\ell \in \mathbb{N}}$ and $b = \{\ell^{-2}\}_{\ell \in \mathbb{N}}$ holds $a \sim 0$, but $b \not\sim 0$, where $0$ is viewed as the constant sequence. 

³ A rig $Q$ is a "ring without the negatives": it consists of two commutative monoid structures, $(Q, +, 0)$ and $(Q, \cdot, 1)$, such that $x \cdot (y + z) = x \cdot y + x \cdot z$ and $x \cdot 0 = 0$. 

Definition 4.5 Streams of functions $f$ and $g$ are indistinguishable if the sequences $\mathrm{Prob}(fa = b)$ and $\mathrm{Prob}(ga = b)$ are indistinguishable for all streams $a, b \in \Omega^\omega$. We abbreviate 

$f \sim g \iff \forall a, b \in \Omega^\omega.\ \mathrm{Prob}(fa = b) \sim \mathrm{Prob}(ga = b)$ 

Definition 4.6 A flow is an equivalence class of streams of randomized functions. The flow monoid $\widetilde{\mathcal{R}}$ is thus 

$\widetilde{\mathcal{R}} = \mathcal{R}^\omega /\!\sim$ 

4.2 Probabilistic derivability 

In contrast with the algebraic derivability relation from Sec. 3.3, the probabilistic derivability relation does capture partial information leaks, using the implementations of the terms. While $\Xi \nvdash \Theta$ may happen because some $t \in \Theta$ is not algebraically derivable from $\Xi$, it may be easy to guess many bits of information about $\Theta$ from $\Xi$. We formalize this by saying that for some stream of randomized functions $f \in \mathcal{R}^\omega$, $\mathrm{Prob}(f\llbracket \Xi \rrbracket = \llbracket \Theta \rrbracket)$ is high. By assumption, the messages are easily decoded from their implementations $\llbracket \Theta \rrbracket$. So if some $f$ is likely to output $\llbracket \Theta \rrbracket$ on the input $\llbracket \Xi \rrbracket$, then the chance to derive $\Theta$ from $\Xi$ is high. This is what we want to capture by the following randomized derivability relation, which quantifies the guessing chance. 

Let $X(\Xi) \subseteq X$ be the set of indeterminates that occur in $\Xi$. Any minimal environment $\eta$ in which $\llbracket \Xi \rrbracket_\eta$ is defined must be defined over $X(\Xi)$. Since for each $\ell$ the required number of bits for each $x \in X(\Xi)$ is fixed to $|x|_\ell$, each $\eta_\ell$ must select the same number of bits 

$|X(\Xi)|_\ell = \sum_{x \in X(\Xi)} |x|_\ell$ 

So there are $2^{|X(\Xi)|_\ell}$ environments to interpret $\Xi$ for the security parameter $\ell$. Our chance to guess $\Theta$ from $\Xi$ is the probability that a flow $f \in \widetilde{\mathcal{R}}$ will output $\llbracket \Theta \rrbracket_{\eta\ell}$ when given the input $\llbracket \Xi \rrbracket_{\eta\ell}$, for the random choices of $\eta$. Hence the following definition. 
Definition 4.7 The guessing chance $[\Xi \vdash \Theta]$ is the stream of probabilities 

viewed up to indistinguishability. We abbreviate $[\emptyset \vdash \Theta]$ to $[\Theta]$. 

Comment. It is assumed that the guesser evolves: he keeps finding better and better randomized functions $f_\ell$, and thus computes the supremum in (6) as time goes by.⁴ Since the functions in the sequence compute on streams $\llbracket \Xi \rrbracket_\eta$, together they form a stream of functions $f \in \mathcal{R}^\omega$, i.e. a flow $f\llbracket \Xi \rrbracket = \Theta$. 

Examples. For any closed term $t \in \mathcal{T}$, i.e. such that $X(t) = \emptyset$, it holds that $[t] = 1$. To see this, note that $\llbracket t \rrbracket$ is given in the empty environment $\eta_0$, and thus $X(t) = \emptyset$ implies $|X(t)|_\ell = 0$ for all $\ell$. By the assumption about $\mathcal{R}$, for every stream $\llbracket t \rrbracket \in \Omega^\omega$, the constant function stream $f() = \llbracket t \rrbracket$ is feasible. The supremum of (6) is reached at the constant function stream $f() = \llbracket t \rrbracket$, and gives $[t] = \frac{\#\{\eta_0 \mid f() = \llbracket t \rrbracket\}}{2^{0}} = 1$. 

On the other hand, for every $x \in X$ holds $[x] = 0$. There are exactly $2^{|x|_\ell}$ environments $\eta_x$ defined on $x$ alone. To guess $x$ without any inputs, we need a constant flow $f$ such that $f() = \llbracket x \rrbracket = \eta_x(x)$, i.e. a constant stream of functions $f_\ell() = \eta_x(x)_\ell$. Whichever $f$ we may choose, exactly one environment $\eta_x$ will give $f() = \eta_x(x)$. So for every constant flow $f$ holds 

$\dfrac{\#\{\eta_x \mid f_\ell() = \eta_x(x)_\ell\}}{2^{|x|_\ell}} = \dfrac{1}{2^{|x|_\ell}}$ 

The supremum in (6) is thus reached for all constant $f \in \widetilde{\mathcal{R}}$, and $[x]_\ell = 2^{-|x|_\ell}$. But the sequence $\{2^{-|x|_\ell}\}_{\ell \in \mathbb{N}}$ is indistinguishable from $0$, as pointed out after Def. 4.4. 



4.2.1 Subbayesian reasoning and Advantage 

Proposition 4.8 For all sets of terms $\Xi, \Gamma, \Theta$ holds 

$[\Xi \vdash \Gamma] \cdot [\Xi, \Gamma \vdash \Theta] \le [\Xi \vdash \Gamma, \Theta]$ (7) 

When $[\Gamma] > 0$, it follows that 

$[\Gamma \vdash \Theta] \le \dfrac{[\Gamma, \Theta]}{[\Gamma]}$ (8) 

The inequalities become equalities if $\Xi$ and have no indeterminates in common. 



⁴ This kind of spontaneous optimization underlies the dynamics of evolutionary processes in general [25]. 
4.2.2 Advantage 

Definition 4.9 The advantage provided by a set of terms $\Xi$ in computing the terms $\Theta$ is the value 

$\mathrm{Adv}[\Xi \vdash \Theta] = [\Xi \vdash \Theta] - [\Theta]$ 

When this advantage is zero, we say that $\Theta$ is flow independent of $\Xi$, and write 

$[\Theta \perp \Xi] \iff \mathrm{Adv}[\Xi \vdash \Theta] = 0 \iff [\Xi \vdash \Theta] = [\Theta]$ 

4.3 Probabilistic guards 

The idea of the guard relation is that a term $t$ is guarded by one of the guards from $\mathcal{G}$ if whenever $t$ is derived, then at least one of the guards $\Delta \in \mathcal{G}$ is also derived. In the algebraic model, this was simple enough to state by Definition 3.2. When $t$ can be guessed, then this crude statement needs to be refined: the event that $t$ is guessed must be preceded by the event that some $\Delta \in \mathcal{G}$ is guessed. 

Definition 4.10 We say that a set of sets of terms $\mathcal{G}$ guards (against guessing) a term $t$ with respect to a set of terms $\Gamma$, and write $\mathcal{G}$ guards $t$ within $\Gamma$, if for all $\Xi \subseteq \Gamma$ such that $\mathrm{Adv}[\Xi \vdash t] > 0$ holds 

$[\Xi \vdash t] \le \bigvee_{\Delta \in \mathcal{G}} [\Xi \vdash \Delta] \cdot [\Xi, \Delta \vdash t]$ (9) 

Explanation. In the algebraic case, (4) was an attempt to capture the intuition that $\mathcal{G}$ guards $t$ if all computational paths to $t$ lead through some $\Delta \in \mathcal{G}$, assuming the context $\Gamma$. The above definition extends this attempt to computational paths with guessing. If we get any help from $\Xi$ to guess $t$, then that help is not greater than the help we get from it to guess some guard $\Delta \in \mathcal{G}$ of $t$ first, and then to guess $t$ from this guard. Applied to message theories with trivial implementations (e.g. with $\Omega = 1$), Def. 4.10 boils down to Def. 3.2, in the sense that the guessing chance is always constantly $0$ or constantly $1$, and (9) reduces to (4). 

Proposition 4.11 Suppose that the guessing machines $\mathcal{F}$ used in (6) are constrained to never read their random bits, so that guessing boils down to algebraic derivations. Then the guessing guard relation from (9) boils down to the algebraic guard relation from (4). 

To simplify notation, we elide the environment subscripts from $\llbracket - \rrbracket_\eta$ whenever $\eta$ is inessential for the argument. 
5 Partitioned functions and $\boxplus$ 

Notation. Whenever confusion is unlikely, we abuse notation and denote by $x$ both the indeterminate $x \in X$ and its implementation $\llbracket x \rrbracket = \eta(x) \in \Omega$. 

In this section we analyze a class of quickly computable functions, like the one used in the Hancke-Kuhn protocol. One way to ensure that a function is quickly computable is to require that the bit dependency of its outputs on its inputs is partitioned: the $i$-th block of output bits should only depend on the $i$-th block of input bits. Obviously, a function where every bit of output depends on every bit of input has to wait for the last bit of input before it can produce any output. Since in this section we are dealing with purely random input, our results are presented in terms of streams, not flows. 

Definition 5.1 We say that a boolean function $f : \mathbb{Z}_2^m \to \mathbb{Z}_2^n$ is partitioned when 

$m = m_1 + m_2 + \cdots + m_\ell$ 
$n = n_1 + n_2 + \cdots + n_\ell$ 
$f = f_1 :: f_2 :: \cdots :: f_\ell$ 

where $f_i : \mathbb{Z}_2^{m_i} \to \mathbb{Z}_2^{n_i}$ for $i = 1, 2, \ldots, \ell$ are independent of the inputs and the outputs of all other component functions, in the sense that $[x_{\bar\imath}, f_{\bar\imath}(x_{\bar\imath}) \perp f_i(x_i)]$, where $\bar\imath = \{ j \le \ell \mid j \neq i \}$. 

Clearly, a boolean function receiving its input string sequentially can already return the $i$-th block of its outputs while still receiving the $(i+1)$-st block of the inputs. Unfortunately, this convenient property also decreases the cryptographic strength of the function, which requires that each bit of the output depends on each bit of the input [39]. In particular, knowing a value $f(z)$ of a partitioned function increases the chance of guessing $f(x)$. We make this precise in the next section. 

5.1 Guessing partitioned functions 

Proposition 5.2 (a) Let $f$ be a randomized partitioned function, and let $x, z \in \mathbb{Z}_2^m$ be fixed bitstrings with a common block $x_i = z_i \in \mathbb{Z}_2^{m_i}$. Then $[x, z, f(z) \vdash f(x)] \ge 2^{-(n - n_i)}$. 

(b) Let $f : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ be randomized bitwise partitioned, i.e. $m_i = n_i = 1$ for all $i \le \ell$. Then $[x, z, f(z) \vdash f(x)] \ge 2^{-\Delta(x, z)}$, where $\Delta(x, z) = \#\{ i \mid x_i \neq z_i \}$ is the Hamming distance. 

A consequence of Prop. 5.2 is that a proximity authentication protocol, implemented using a partitioned function $R$ to compute the response $r_{VP}x = R(s_{VP}, c_{VP}x)$, cannot be secure in an absolute sense, because the response may be guessed with a non-negligible probability from the other responses $r_{VP}z$. Moreover, it seems that the attacker can always obtain some other responses $r_{VP}z$ by impersonating Victor and issuing challenges $c_{VP}z$. 
Lemma 5.3 A randomized boolean function $f : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ is bitwise partitioned if and only if for every $x \in \mathbb{Z}_2^\ell$ it holds that 

$f(x) = x \boxplus (f(0^\ell) :: f(1^\ell))$ (10) 

where $\boxplus$ is the Hancke-Kuhn function (1), and $0^\ell, 1^\ell \in \mathbb{Z}_2^\ell$ are the strings of 0s and 1s, respectively. 

Bitwise partitioned functions with a minimal guessing probability can now be completely characterized: they turn out to be precisely the Hancke-Kuhn functions (1) for which the values at $0^\ell$ and at $1^\ell$ are independent. 

Proposition 5.4 Suppose that $f : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ is a randomized bitwise partitioned function such that $[x \perp f(0^\ell) :: f(1^\ell)]$. Then for fixed $z$ and $x \in \mathbb{Z}_2^\ell$: 

$[x, z, f(z) \vdash f(x)] = 2^{-\Delta(x, z)}$ (11) 

if and only if for every $i \le \ell$ it holds that 

$[f_i(0) \perp f_i(1)]$ and $[f_i(1) \perp f_i(0)]$ (12) 

Remark. In a sense, $x \boxplus (-) : \mathbb{Z}_2^{2\ell} \to \mathbb{Z}_2^\ell$ is thus a "one-and-a-half-way function", since $x \boxplus h$ discloses only one half of the bits of $h$. 

On the other hand, $(-) \boxplus h : \mathbb{Z}_2^\ell \to \mathbb{Z}_2^\ell$ is not only an example of a bitwise partitioned function, satisfying the needs of the Hancke-Kuhn protocol, but it is a canonical way to represent such functions. 



5.2 Guessing x EH h 

We now consider the probability of guessing $x \boxplus h$ given various sorts of information that may be learned in the Hancke-Kuhn protocol. 

Definition 5.5 a) For $x \in \mathbb{Z}_2^\ell$ and $I \subseteq \ell = \{0, 1, 2, \ldots, \ell - 1\}$ we define $x^{\circledast I} \in \mathbb{Z}_2^\ell$ to be the bit string obtained by replacing for all $i \in I$ the bits $x_i$ with a "wild card" $\circledast$ 

$x^{\circledast I}_j = \circledast$ if $j \in I$, and $x^{\circledast I}_j = x_j$ otherwise 

b) For $h = h^{(0)} :: h^{(1)}$ where $h^{(0)}, h^{(1)} \in \mathbb{Z}_2^\ell$ we define the kernel $\kappa h$ to be the set of places where its first and its second half coincide, i.e. 

$\kappa h = \{ i \in \ell \mid h^{(0)}_i = h^{(1)}_i \}$ 

We make use of these definitions in the following. 

Proposition 5.6 Suppose that $h$ is the concatenation of two constant $\ell$-bit streams, and $x$ is a uniformly distributed $\ell$-bit stream. Then 

(a) $[h \vdash x \boxplus h]_\ell = 2^{|\kappa h| - \ell}$ 

(b) $[x, h \vdash x \boxplus h]_\ell = [x^{\circledast \kappa h}, h \vdash x \boxplus h]_\ell$ 

The following proposition concerns the problem of deriving $x \boxplus h$ from $z \boxplus h$ for some $z$. 

Proposition 5.7 Let $h$ be the concatenation of two uniformly distributed $\ell$-bit streams, let $x$ be a uniformly distributed $\ell$-bit stream, and let $z$ be any $\ell$-bit stream. Then the following holds. 

$[z \boxplus h \vdash x \boxplus h]_\ell = [z, z \boxplus h \vdash x \boxplus h]_\ell = \left(\tfrac{3}{4}\right)^\ell$ 

6 Security of Hancke-Kuhn 

We quantify the security of the Hancke-Kuhn protocol by evaluating $\mathrm{Prob}(crp)$, i.e. the probability that the sequence of events in a complete protocol run validates the following reasoning of Victor's 

$V : (\nu x)_V \triangleright \langle x \rangle_V \triangleright (x \boxplus h)_V \Longrightarrow \big( (\nu x)_V \triangleright \langle x \rangle_V \triangleright (x)_P \triangleright \langle x \boxplus h \rangle_P \triangleright (x \boxplus h)_V \big)$ (crp) 

corresponding to the run on Fig. 1. In order to evaluate this probability, we analyze the probability that (crp) fails. How can it happen that Victor observes a satisfactory sequence of his own actions 

$V = (\nu x)_V \triangleright \langle x \rangle_V \triangleright (x \boxplus h)_V$ (13) 

but that the desired run 

$O = \langle x \rangle_V \triangleright (x)_P \triangleright \langle x \boxplus h \rangle_P \triangleright (x \boxplus h)_V$ (14) 

did not take place? There are just two possibilities: 

$\mathcal{A}$: the responder does not know the secret $s$, i.e. he is the Attacker, 

$\mathcal{E}$: the responder knows the secret $s$, i.e. she is Peggy, but the response is sent Early, without receiving the challenge. 

The remaining case, that the responder is Peggy, and she responds to the challenge, is just the event $O$. Thus $\neg O = \mathcal{A} \cup \mathcal{E}$. It follows that 

$\mathrm{Prob}(crp) = \mathrm{Prob}(O \mid V) = 1 - \mathrm{Prob}(\mathcal{A} \cup \mathcal{E} \mid V) \ge 1 - \mathrm{Prob}(\mathcal{A} \mid V) - \mathrm{Prob}(\mathcal{E} \mid V)$ (15) 

The (in)security of the Hancke-Kuhn protocol thus boils down to evaluating $\mathrm{Prob}(\mathcal{A} \mid V)$ and $\mathrm{Prob}(\mathcal{E} \mid V)$. The following lemmas and propositions show that these probabilities are negligible. The proofs are in the Appendix. 
Response token. Recall that Peggy's response token $h = H(s :: a :: b)$ is derived from the shared secret $s$, Peggy's counter $a$, and Victor's counter $b$, using a secure public hash function $H$. In this section, $h$ abbreviates $H(s :: a :: b)$. 

Assumption 6.1 The above decomposition of $\neg O$ as $\mathcal{A} \cup \mathcal{E}$ is valid only if $h = H(s :: a :: b)$ is such that 

• $|s| \gg |x|$, i.e. the attacker's chance to guess the secret $s$ is negligible compared with his chance to guess the challenge $x$; 

• the counters $a$ and $b$ are never reused (although they may be predictable). 

Otherwise, the attacker may guess $h$, and $\neg O$ may not be covered by $\mathcal{A} \cup \mathcal{E}$. 

6.1 Guards in undesired runs 

In order to evaluate $\mathrm{Prob}(crp)$, we need to determine the probability that the correct response $x \boxplus h$ is guessed in the undesired runs $\mathcal{A}$ and $\mathcal{E}$. Towards this goal, we explore what can be guessed in the term contexts (cf. Def. 3.3) $\mathcal{A}(x \boxplus h)$ and $\mathcal{E}(x)$. The following lemmas simplify this question. 

Lemma 6.2 (a) Let $\mathcal{A}$ be an attack run with a long term secret $s$, Peggy's counter $a$, Victor's counter $b$, and Attacker's challenge $z$, for which he obtains the response $z \boxplus h$, where $h = H(s :: a :: b)$. Then for any $\Xi \subseteq \mathcal{A}(x \boxplus h)$ it holds that 

$[\Xi \vdash x \boxplus h] = [\Xi \cap \{s, a, b, x, z, z \boxplus h\} \vdash x \boxplus h]$ 

(b) Let $\mathcal{E}$ be a run with a long term secret $s$, Peggy's counter $a$, Victor's counter $b$, and where Peggy responds early. Then for any $\Xi \subseteq \mathcal{E}(x)$ it holds that 

$[\Xi \vdash x \boxplus h] = [\Xi \cap \{s, a, b\} \vdash x \boxplus h]$ 

Lemma 6.3 For $h = H(s :: a :: b)$ and $T \subseteq \{z, z \boxplus h\}$ it holds that 

$[x \boxplus h]_\ell = [x, z \vdash x \boxplus h]_\ell = 2^{-\ell}$ (16) 
$[a, b, s, x^{\circledast \kappa h} \vdash x \boxplus h] = 1$ (17) 
$[a, b, s, x, T \vdash x \boxplus h] = 1$ (18) 

Proposition 6.4 $\{\{s\}, \{z \boxplus h\}\}$ guards $x \boxplus h$ within $\mathcal{A}(x \boxplus h)$ 

Proposition 6.5 $\{\{x^{\circledast \kappa h}\}\}$ guards $x \boxplus h$ within $\mathcal{E}(x)$ 

The guards displayed in the preceding Propositions will now be used to evaluate $\mathrm{Prob}(V \mid \mathcal{A})$ and $\mathrm{Prob}(V \mid \mathcal{E})$, i.e. the probabilities that the authentication may fail because the Attacker breaks it, or because Peggy succeeds in responding Early. 






6.2 Bounds on undesired runs 

Proposition 6.4 and the definition of probabilistic guards say that, for a given challenge $x$, the probability that an Attacker can violate authentication is bounded above by 

$[\Phi \vdash s] \cdot [\Phi, s \vdash x \boxplus h]$ or by $[\Phi \vdash z \boxplus h] \cdot [\Phi, z \boxplus h \vdash x \boxplus h]$ 

where $\Phi = \{a, b, z, z \boxplus h\}$. The first quantity is clearly negligible. We must show the same for the second. 

Likewise, Proposition 6.5 implies that the probability that Peggy can respond Early is bounded above by 

$[s, a, b \vdash x^{\circledast \kappa h}] \cdot [s, a, b, x^{\circledast \kappa h} \vdash x \boxplus h]$ 

Note that in the attack run $\mathcal{A}$, the Attacker cannot learn $x$ until after she has created $z$. The distribution of $z$ is thus independent from that of $x$. 

Proposition 6.6 Suppose that the Attacker, before receiving Victor's challenge $x$, can pick her own challenge $z$ and obtain a single response $z \boxplus h$. Then the stream of expected probabilities $\mathrm{Prob}(V \mid \mathcal{A})$ that the Attacker can deceive Victor by guessing $x \boxplus h$ is indistinguishable from the stream of probabilities $p$ defined by 

This means that $\mathrm{Prob}(V \mid \mathcal{A})$ is negligible. 

Proposition 6.7 The stream of expected probabilities $\mathrm{Prob}(V \mid \mathcal{E})$ that Peggy can deceive Victor by guessing and sending her response before she receives the challenge is indistinguishable from the stream $q$ defined by 

This means that $\mathrm{Prob}(V \mid \mathcal{E})$ is negligible. 

Note in particular that this means that in both cases the stream of probabilities is indistinguishable from zero, since the stream $\{(3/4)^\ell\}_{\ell \in \mathbb{N}}$ is itself indistinguishable from zero. 
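The two bounds above, and the values $2^{|\kappa h| - \ell}$ and $(3/4)^\ell$ that Propositions 5.6 and 5.7 and the Appendix proofs arrive at, can be checked by exhaustive enumeration for small $\ell$. The following Python is an added example, not code from the paper; the function names and the brute-force "best guess" strategies are my own, and the responder strategies enumerate every consistent $h$ rather than following any particular derivation in the text.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

Bits = Tuple[int, ...]


def hk_response(x: Bits, h0: Bits, h1: Bits) -> Bits:
    """Hancke-Kuhn function x ⊞ h for h = h0 :: h1 (equation (1) of the paper):
    bit i of the response is h0[i] when x[i] == 0 and h1[i] when x[i] == 1."""
    return tuple(h1[i] if xi else h0[i] for i, xi in enumerate(x))


def kernel(h0: Bits, h1: Bits) -> FrozenSet[int]:
    """The kernel κh of Definition 5.5(b): positions where the halves of h coincide."""
    return frozenset(i for i in range(len(h0)) if h0[i] == h1[i])


def all_bitstrings(ell: int) -> List[Bits]:
    return list(product((0, 1), repeat=ell))


def best_guess_given_h(h0: Bits, h1: Bits) -> Fraction:
    """Early responder (run E): Peggy knows h but has not yet seen x.  Her best
    constant guess r maximises the number of x with x ⊞ h == r, so this computes
    [h ⊢ x ⊞ h]_ℓ of Proposition 5.6(a) by brute force (expected: 2^(|κh|-ℓ))."""
    ell = len(h0)
    counts: Dict[Bits, int] = {}
    for x in all_bitstrings(ell):
        r = hk_response(x, h0, h1)
        counts[r] = counts.get(r, 0) + 1
    return Fraction(max(counts.values()), 2 ** ell)


def early_response_chance(ell: int) -> Fraction:
    """Average of best_guess_given_h over uniformly random h = h0 :: h1, i.e. the
    expected chance that an early response is accepted (Proposition 6.7)."""
    hs = all_bitstrings(ell)
    total = sum((best_guess_given_h(h0, h1) for h0 in hs for h1 in hs), Fraction(0))
    return total / (len(hs) ** 2)


def replay_chance(ell: int, z: Bits) -> Fraction:
    """Attack run A: the Attacker chose z, obtained z ⊞ h from Peggy, then receives
    Victor's fresh challenge x and must answer without knowing h.  For every
    observation (z ⊞ h, x) the best answer is the r consistent with the most
    pairs (h0, h1); summing over all cases gives Prob(V | A) of Proposition 6.6."""
    hs = all_bitstrings(ell)
    table: Dict[Tuple[Bits, Bits], Dict[Bits, int]] = {}
    for h0 in hs:
        for h1 in hs:
            zr = hk_response(z, h0, h1)
            for x in hs:
                xr = hk_response(x, h0, h1)
                bucket = table.setdefault((zr, x), {})
                bucket[xr] = bucket.get(xr, 0) + 1
    wins = sum(max(bucket.values()) for bucket in table.values())
    return Fraction(wins, len(hs) ** 3)


def three_quarters(ell: int) -> Fraction:
    """(3/4)^ℓ: the per-ℓ value the proofs of Propositions 6.6 and 6.7 arrive at."""
    return Fraction(3, 4) ** ell


if __name__ == "__main__":
    # Constructed sample run: both undesired runs land exactly on (3/4)^ℓ.
    for ell in range(1, 5):
        z = tuple([0] * ell)
        print(ell, replay_chance(ell, z), early_response_chance(ell), three_quarters(ell))
```

Both streams decay like $(3/4)^\ell$, which is why the analysis needs the "up to negligible" ordering of Definition 4.4 rather than absolute zero: each single round leaks a constant fraction, and only the product over $\ell$ rounds is negligible.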

The final result is obtained by putting Propositions 6.4 and 6.6 together. 

Theorem 6.8 Suppose that the Hancke-Kuhn protocol is realized in such a way that it satisfies Assumption 6.1 and does not always fail for trivial reasons: i.e., there are some sessions with an honest prover Peggy and an honest verifier Victor. Formally, this means that there are $C, D \in (0, 1)$ such that 

• $\mathrm{Prob}(\mathcal{A}), \mathrm{Prob}(\mathcal{E}) \le C$, i.e. not every response is from an Attacker, or too Early, 

• $\mathrm{Prob}(V) \ge D$, i.e. Victor sometimes observes a satisfactory run and accepts. 

Then $\mathrm{Prob}(crp)$ is indistinguishable from $1$. In other words, the Hancke-Kuhn protocol achieves authentication almost certainly. 

7 Conclusion 

We have presented a framework for extending algebraic cryptographic models 
to probabilistic models and used it to construct a probabilistic extension of the 
Protocol Derivation Logic. We have illustrated it by applying it to an analysis of 
the Hancke-Kuhn distance bounding protocol. We expect that it will be useful 
in the analysis of many other protocols that rely on weak cryptography to take 
advantage of non-standard communication channels. 

We should also point out that the potential applications of our framework go 
far beyond purely probabilistic extensions. The main thing that needs to be done 
to make our framework applicable to computational models is to define a notion 
of feasibly computable functions, so that guessing probability can be defined in 
terms of feasible function streams instead of all possible function streams. We 
have defined such a notion and are currently investigating its applications to 
protocols. In future work, we expect to present a more general framework that 
can incorporate a wide range of methods of cryptographic reasoning. 

Acknowledgement. We are grateful to Joshua Guttman, John Mitchell, Mike 
of this paper, and for valuable suggestions towards improvements in presenta- 

A Appendix: The Proofs 

Proof of Prop. 4.8 Let $f_\ell$ and $g_\ell$ be randomized functions. Consider the sets 

$F = \{ \chi_\ell \mid f_\ell \llbracket \Xi \rrbracket_{\chi\ell} = \llbracket \Gamma \rrbracket_{\chi\ell} \}$ and $G = \{ \eta_\ell \mid g_\ell \llbracket \Xi, \Gamma \rrbracket_{\eta\ell} = \llbracket \Theta \rrbracket_{\eta\ell} \}$ 

Claim 1. If for $x, y \in X(\Xi, \Gamma)$ and $\eta_\ell$ such that $g_\ell \llbracket \Xi, \Gamma \rrbracket_{\eta\ell} = \llbracket \Theta \rrbracket_{\eta\ell}$ holds $\eta_\ell(x) = \eta_\ell(y)$, then for $\tilde\eta_\ell$, which is equal to $\eta_\ell$ everywhere except that $\tilde\eta_\ell(x) \neq \tilde\eta_\ell(y)$, holds that $\tilde g_\ell \llbracket \Xi, \Gamma \rrbracket_{\tilde\eta\ell} = \llbracket \Theta \rrbracket_{\tilde\eta\ell}$, for $\tilde g$ modified accordingly. (Intuitively, separating two pieces of input can only provide more information, not less.) 

Claim 2. If $f_\ell \llbracket \Xi \rrbracket_{\chi\ell} = \llbracket \Gamma \rrbracket_{\chi\ell}$ and $\mathrm{dom}(\chi_\ell) \subseteq \mathrm{dom}(\eta_\ell)$, with $\chi_\ell(x) \neq \chi_\ell(y) \Rightarrow \eta_\ell(x) \neq \eta_\ell(y)$, then $f_\ell$ can be precomposed with a permutation to yield $\tilde f_\ell$ with $\mathrm{dom}(\tilde f_\ell) \subseteq \mathrm{dom}(\eta_\ell)$ and $\tilde f_\ell \llbracket \Xi \rrbracket_{\eta\ell} = \llbracket \Gamma \rrbracket_{\eta\ell}$. 

The consequence of these claims is that we can modify $f_\ell$ and $g_\ell$ to $\tilde f_\ell$ and $\tilde g_\ell$ so that $\#F = \#\tilde F$ and $\#G = \#\tilde G$. 

Now let $h_\ell(x) = y :: \tilde g_\ell(x :: y)$, where $y = \tilde f_\ell(x)$. Since thus 

$h_\ell \llbracket \Xi \rrbracket_{\eta\ell} = \tilde f_\ell \llbracket \Xi \rrbracket_{\eta\ell} :: \tilde g_\ell(\llbracket \Xi \rrbracket_{\eta\ell} :: \llbracket \Gamma \rrbracket_{\eta\ell}) = \llbracket \Gamma, \Theta \rrbracket_{\eta\ell}$ 

holds whenever $\eta_\ell \in \tilde F \cap \tilde G$, we have 

$\dfrac{\#\{ \eta_\ell \mid \tilde f_\ell \llbracket \Xi \rrbracket_{\eta\ell} = \llbracket \Gamma \rrbracket_{\eta\ell} \}}{2^{|\Xi, \Gamma, \Theta|_\ell}} \cdot \dfrac{\#\{ \eta_\ell \mid \tilde g_\ell \llbracket \Xi, \Gamma \rrbracket_{\eta\ell} = \llbracket \Theta \rrbracket_{\eta\ell} \}}{2^{|\Xi, \Gamma, \Theta|_\ell}} \le \dfrac{\#\{ \eta_\ell \mid h_\ell \llbracket \Xi \rrbracket_{\eta\ell} = \llbracket \Gamma, \Theta \rrbracket_{\eta\ell} \}}{2^{|\Xi, \Gamma, \Theta|_\ell}}$ 

The inequality $[\Xi \vdash \Gamma] \cdot [\Xi, \Gamma \vdash \Theta] \le [\Xi \vdash \Gamma, \Theta]$ follows by observing that 

$\dfrac{\#\{ \eta_\ell \mid \tilde f_\ell \llbracket \Xi \rrbracket_{\eta\ell} = \llbracket \Gamma \rrbracket_{\eta\ell} \}}{2^{|\Xi, \Gamma, \Theta|_\ell}} \le \dfrac{\#\{ \eta_\ell \mid \tilde f_\ell \llbracket \Xi \rrbracket_{\eta\ell} = \llbracket \Gamma \rrbracket_{\eta\ell} \}}{2^{|\Xi, \Gamma|_\ell}}$ 

□ 

Proof of Prop. 5.2 For (a), $x_i = z_i$ yields $f_i(x_i) = f_i(z_i)$, so we only need to guess at most $n - n_i$ bits. For (b), $x_i$ and $z_i$ are bits, and $n - \Delta(x, z)$ of them are equal, so we only need to guess at most $\Delta(x, z)$ bits. □ 

Proof of Lemma 5.3 $(f(x))_i = f_i(x_i) = (x \boxplus (f(0^\ell) :: f(1^\ell)))_i$ holds by the definition of bitwise partitioned functions at the first step, and by (1) at the second step. □ 
Proof of Prop. 5.4 Assumptions (12) say that 

$x_i \neq z_i \Rightarrow [x_i, z_i, f_i(z_i) \vdash f_i(x_i)] = [x_i \vdash f_i(x_i)]$ 

On the other hand, by definition, the components of a partitioned function are mutually independent. Hence 

$[x, z, f(z) \vdash f(x)] = \prod_{i=1}^{\ell} [x, z, f(z) \vdash f_i(x_i)] = \prod_{i=1}^{\ell} [x_i \vdash f_i(x_i)] = \prod_{i :\, x_i \neq z_i} \tfrac{1}{2} = 2^{-\Delta(z, x)}$ 

The other way around, using (11) at the second step, we get 

$\prod_{i=1}^{\ell} [x, z, f(z) \vdash f_i(x_i)] = [x, z, f(z) \vdash f(x)] = 2^{-\Delta(x, z)} = \prod_{i=1}^{\ell} 2^{-\Delta(x_i, z_i)}$ 

which, with the componentwise independence, yields (12). □ 

Proof of Prop. 5.6 Note that for each $i \in \kappa h$, the bit $(x \boxplus h)_i = h^{(0)}_i = h^{(1)}_i$ does not depend on $x_i$. This means that $x \boxplus h$ only depends on $x^{\circledast \kappa h}$. □ 

Proof of Prop. 5.7 Guessing $x \boxplus h$ from $z$ and $z \boxplus h$ can be modeled as a version of the Monty Hall problem [33], where Monty randomly selects $x$ and $h$ and the contestant chooses $z$. Monty then announces $z \boxplus h$ and the contestant guesses $x \boxplus h$. 

Since the bits of $x \boxplus h$ are independent, it is enough to consider the case $\ell = 1$. Monty then flips three fair coins to pick the secret bits $x$, $h^{(0)}$ and $h^{(1)}$, while the contestant picks a bit $z$. Monty then announces $z \boxplus h = h^{(z)}$. Should the contestant now guess that $x \boxplus h = z \boxplus h$, or should he switch to $x \boxplus h = \neg(z \boxplus h)$? 

Denote by $q$ the probability that the contestant picks $x \boxplus h = z \boxplus h$. If $h^{(0)} = h^{(1)}$, the contestant wins with this choice, because the value $x \boxplus h$ is the same for every $x$. Since $h^{(0)}$ and $h^{(1)}$ were randomly chosen, $\mathrm{Prob}(h^{(0)} = h^{(1)}) = \frac{1}{2}$. Otherwise, if $h^{(0)} \neq h^{(1)}$, then $x \boxplus h = z \boxplus h$ holds if and only if $x = z$. Since $x$ is random, $\mathrm{Prob}(x = z) = \frac{1}{2}$, and hence $\mathrm{Prob}(h^{(0)} \neq h^{(1)} \wedge x = z) = \frac{1}{4}$, because $h^{(0)}$, $h^{(1)}$ and $x$ are independent. 

The probability that the contestant will make a correct guess is thus 

$q \cdot \big( \mathrm{Prob}(h^{(0)} = h^{(1)}) + \mathrm{Prob}(h^{(0)} \neq h^{(1)} \wedge x = z) \big) = \dfrac{3q}{4}$ 

To maximize this probability, the contestant needs $q = 1$, and should thus stick⁵ with Monty's bit $z \boxplus h$. 

The proof for $[z \boxplus h \vdash x \boxplus h]$ differs just in the detail that $z$ is not chosen by the contestant, but obeys some unknown distribution. However, $x$ is still independent of $z$. Thus for some $p$, $\mathrm{Prob}(x = z) = \mathrm{Prob}(x = 0) \cdot \mathrm{Prob}(z = 0) + \mathrm{Prob}(x = 1) \cdot \mathrm{Prob}(z = 1) = \frac{1}{2} p + \frac{1}{2} (1 - p) = \frac{1}{2}$. □ 

Proof of Lemma 6.2 (a). By assumption, the outputs of the hash function $H$ are indistinguishable from random strings, and thus satisfy $[H(u) \perp H(v)]$ for all $u \neq v$. 

Recall that $\mathcal{A}(x \boxplus h)$ is the union of the contexts observed by the possible participants in the run $\mathcal{A}$, before $x \boxplus h$ is known. Besides $s$, known by Victor and Peggy, and $a$, $b$ and $x$, announced publicly but never reused, the context $\mathcal{A}(x \boxplus h)$ thus also contains a single additional challenge $z$, issued by the Attacker, and the corresponding response $z \boxplus h$ (provided by Peggy before she receives Victor's challenge $x$). 

Moreover, the Attacker may issue a family $Y \subseteq \mathbb{Z}_2^\ell$ of additional challenges to Peggy, and construct a list $\{b_y\}_{y \in Y}$ of the future values of Victor's counter. To each new challenge, Peggy will respond with $y \boxplus h_y$, where each response token $h_y = H(s :: a_y :: b_y)$ is derived using a new value of the counter $a_y$. By assumption, $[h_y \perp h]$ holds for all $y$. Independently of the distance of $Y$ and the challenge $x$, the responses $y \boxplus h_y$ will provide no information about $x \boxplus h$. In summary, the term context $\mathcal{A}(x \boxplus h)$ is thus 

$\{s, a, b, x, z, z \boxplus h\} \cup \{ y, a_y, b_y, y \boxplus h_y \mid h_y = H(s :: a_y :: b_y) \wedge y \in Y \}$ 

for some $Y \subseteq \mathbb{Z}_2^\ell$, where $a : Y \to \mathbb{Z}_2^\ell$ is injective, and $b : Y \to \mathbb{Z}_2^\ell$ arbitrary. The assumption about $H$ implies $[y, a_y, b_y, y \boxplus h_y \perp x \boxplus h]$, which further tells that for any $\Xi \subseteq \mathcal{A}(x \boxplus h)$ 

$\{s, a, b, z, z \boxplus h\} \cap \Xi = \emptyset \Longrightarrow [\Xi \perp x \boxplus h]$ 

and we are done. 

The proof of 6.2 (b) is analogous, but slightly simpler, elaborating the fact that obtaining one challenge tells nothing about another one. □ 

Proof of Lemma 6.3 Since $h$ is indistinguishable from random, the bits of any $h_\ell$ are indistinguishable from independent. The probability of guessing any chosen substring of length $\ell$ in $h$ is indistinguishable from $2^{-\ell}$. In particular, the probability of guessing $x_\ell \boxplus h_\ell$ for a chosen $x_\ell$ is indistinguishable from $2^{-\ell}$. Knowing which substring is being guessed presents no advantage, and thus $[x_\ell \vdash x_\ell \boxplus h_\ell] = 2^{-\ell}$. 

Equations (17) and (18) follow from Prop. 5.6. □ 

⁵ This solution is in contrast with the original Monty Hall problem [36], where it is advantageous to switch. The reasoning is, however, quite similar. 
Proof of Prop. 6.4 The claim follows from the fact that each set $\Xi \subseteq \mathcal{A}(x \boxplus h)$ such that $\mathrm{Adv}[\Xi \vdash x \boxplus h] > 0$ satisfies at least one of the following inequalities: 

$[\Xi \vdash x \boxplus h] \le [\Xi \vdash s] \cdot [\Xi, s \vdash x \boxplus h]$ (19) 
$[\Xi \vdash x \boxplus h] \le [\Xi \vdash z \boxplus h] \cdot [\Xi, z \boxplus h \vdash x \boxplus h]$ (20) 

According to Lemma 6.2 (a), for each subset $\Xi$ of $\mathcal{A}(x \boxplus h)$ such that $a \in \Xi$, it suffices to consider the set $\Xi \cap \{s, a, b, x, z, z \boxplus h\}$. Once the problem is reduced this far, the rest follows by case analysis, using Lemma 6.3. □ 

Proof of Prop. 6.5 The claim is that each $\Xi \subseteq \mathcal{E}(x)$ such that $\mathrm{Adv}[\Xi \vdash x \boxplus h] > 0$ satisfies 

$[\Xi \vdash x \boxplus h] \le [\Xi \vdash x^{\circledast \kappa h}] \cdot [\Xi, x^{\circledast \kappa h} \vdash x \boxplus h]$ (21) 

Lemma 6.2 (b) says that it suffices to consider $\Xi \cap \{s, a, b\}$ if $a \in \Xi$. Thus, we only need to consider the subsets of $\{s, a, b\}$, and since $b$ is deterministic, this reduces to the subsets of $\{s, a\}$. The assumption that the stream $h$ is indistinguishable from random implies $[\Xi \vdash x \boxplus h]_\ell = 2^{-\ell}$ whenever $\Xi$ is a proper subset of $\{s, a\}$. So (21) holds trivially in that case. For $\Xi = \{s, a\}$, using Prop. 5.6 and Lemma 6.3 we have $[\Xi \vdash x \boxplus h]_\ell = [\Xi \vdash x^{\circledast \kappa h}]_\ell = 2^{|\kappa h| - \ell}$ and on the other hand $[\Xi, x^{\circledast \kappa h} \vdash x \boxplus h]_\ell = 1$. Hence (21). □ 

Proof of Prop. 6.6 Since $x \in \mathbb{Z}_2^\ell$ is uniformly distributed by assumption, and $[x, z, z \boxplus h \vdash x \boxplus h] = 2^{-\Delta(z, x)}$ by (11), it follows that 

□ 



Proof of Prop. 6.7 By hypothesis the token $h = H(s :: a :: b)$ is indistinguishable from a random value. Since $[s, a, b \perp x]$ also holds by assumption, $[s, a, b \vdash x \boxplus h] = [h \vdash x \boxplus h]$ follows, because $s, a, b$ can only be useful to derive $h = H(s :: a :: b)$. But Prop. 5.6 (a) then implies that $[s, a, b \vdash x \boxplus h]_\ell = 2^{k - \ell}$, where $k = |\kappa h|$. The expected value that Peggy will guess $x \boxplus h$ is averaged over the possible values of $h$, and hence 

$\sum_{h^{(0)}} \sum_{h^{(1)}} 2^{-2\ell} [h \vdash x \boxplus h]_\ell = 2^{-\ell} \sum_{k=0}^{\ell} \binom{\ell}{k} 2^{k - \ell} = 2^{-2\ell} \cdot 3^\ell = \left(\tfrac{3}{4}\right)^\ell$ 

□ 







Proof of Thm. 6.8 By (15), to prove the Theorem it suffices to show that both $\mathrm{Prob}(\mathcal{A} \mid V)$ and $\mathrm{Prob}(\mathcal{E} \mid V)$ are negligible. Bayes' Theorem and the hypotheses imply 

$\mathrm{Prob}(\mathcal{A} \mid V) = \dfrac{\mathrm{Prob}(V \mid \mathcal{A}) \cdot \mathrm{Prob}(\mathcal{A})}{\mathrm{Prob}(V)} \le \dfrac{\mathrm{Prob}(V \mid \mathcal{A}) \cdot C}{D}$ 

Since $\mathrm{Prob}(V \mid \mathcal{A})$ is negligible by Prop. 6.6, $\mathrm{Prob}(\mathcal{A} \mid V)$ is negligible too. The fact that $\mathrm{Prob}(\mathcal{E} \mid V)$ is negligible follows in the same way from Prop. 6.7. □ 